The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has published an alert urging all companies in America to take prompt action to prepare for attempted cyberattacks using a new wiper malware employed in targeted attacks on government institutions, non-profit organizations, and IT companies in Ukraine.
The malware – known as WhisperGate – disguises itself as ransomware and drops a ransom note when executed; however, it has no mechanism for recovering files. WhisperGate consists of a file corruptor, a Discord-based downloader, and a Master Boot Record (MBR) wiper. The MBR is the sector of the hard drive that records where the operating system is located and how it is loaded. Overwriting the MBR renders the infected device’s hard drive inaccessible.
The Microsoft Threat Intelligence Center (MSTIC) recently published an analysis of the new malware. The first stage, usually referred to as stage1.exe, overwrites the MBR and prevents the operating system from loading. It is triggered when the infected device is powered down and writes the ransom note. The second stage, stage2.exe, is a file corruptor that runs in memory and corrupts data files matching a hardcoded list of file extensions so that they cannot be recovered.
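Because stage one overwrites sector 0 of the disk, a responder examining a disk image can quickly tell whether the MBR is still structurally valid. The following added example (not code from the article, CISA or MSTIC) parses the first 512 bytes of a drive or image, checks the 0x55AA boot signature, the partition table and whether the boot-code area has been flattened to a single repeated byte, and reports the findings. The two sample sectors are constructed inline, one valid and one zeroed, so the script runs offline; `read_sector0` is a hypothetical helper for pointing it at a real image file.

```python
"""MBR integrity check for forensic triage (added example, not from the article).

Layout of a classic MBR (512 bytes):
  0..445   boot code
  446..509 four 16-byte partition table entries
  510..511 boot signature 0x55 0xAA
A wiper that overwrites sector 0 usually breaks one or more of these.
"""
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian fields)."""
    status, _start_chs, ptype, _end_chs, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def check_mbr(sector0: bytes) -> dict:
    """Return {'intact': bool, 'findings': [...], 'partitions': [...]} for sector 0."""
    findings = []
    if len(sector0) < MBR_SIZE:
        return {"intact": False, "findings": ["fewer than 512 bytes read"], "partitions": []}
    sector0 = sector0[:MBR_SIZE]

    # 1. The boot signature must be present.
    if sector0[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")

    # 2. Real boot code is never a single repeated byte; a wiped or
    #    blank sector is (all 0x00, all 0xFF, or a fixed fill pattern).
    boot_code = sector0[:PARTITION_TABLE_OFFSET]
    if len(set(boot_code)) <= 1:
        findings.append("boot code area is a single repeated byte (overwritten or blank)")

    # 3. At least one partition entry with a plausible extent should exist.
    table = sector0[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64]
    partitions = [parse_partition_entry(table[i:i + 16]) for i in range(0, 64, 16)]
    used = [p for p in partitions if p["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    for p in used:
        if p["sectors"] == 0 or p["lba_start"] == 0:
            findings.append(f"partition type 0x{p['type']:02x} has an invalid extent")

    return {"intact": not findings, "findings": findings, "partitions": used}


def read_sector0(path: str) -> bytes:
    """Hypothetical helper: read the first 512 bytes of a disk image file."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def _build_sample_mbr() -> bytes:
    """Constructed sample: minimal boot stub, one bootable Linux partition, valid signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PARTITION_TABLE_OFFSET - 5)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x83, b"\xfe\xff\xff",
                        2048, 1_000_000)
    table = entry + b"\x00" * 48          # three unused entries
    return boot_code + table + BOOT_SIGNATURE


SAMPLE_INTACT_MBR = _build_sample_mbr()   # constructed, healthy sector 0
SAMPLE_WIPED_MBR = b"\x00" * MBR_SIZE     # constructed, fully zeroed sector 0

if __name__ == "__main__":
    for label, sector in (("intact", SAMPLE_INTACT_MBR), ("wiped", SAMPLE_WIPED_MBR)):
        verdict = check_mbr(sector)
        print(f"{label}: intact={verdict['intact']} findings={verdict['findings']}")
```

Run against a real image with `check_mbr(read_sector0("disk.img"))`; on a GPT-formatted disk the protective MBR still carries a single type 0xEE entry and a valid signature, so the check remains meaningful there. A healthy MBR passes all three checks, while a zeroed sector trips all of them.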
To date, attacks have been carried out on targets in Ukraine; however, there is a threat of wider attacks. Wiper malware like this has been used against businesses in Ukraine before, and in much wider attacks around the world. In 2017, the NotPetya wiper was used to attack companies in Ukraine and was delivered in a supply chain attack through a legitimate tax software package. NotPetya also spread internationally, causing serious disruption to IT systems and substantial data loss. NotPetya is believed to have been deployed by a Russian threat group known as Sandworm (also tracked as Voodoo Bear).
The Ukrainian government believes that the attacks are being carried out by an Advanced Persistent Threat (APT) group assessed to have close ties to Belarus. There is a genuine concern that similar attacks using WhisperGate may occur in the US, particularly against critical infrastructure organizations and organizations with connections to Ukraine.
CISA has published an Insights bulletin detailing steps that can be taken to protect against the malware and reduce the likelihood of a damaging cyberattack. The bulletin also includes guidance on how to quickly detect and respond to a potential attack, and how to increase resilience to a destructive cyber threat.